    IpSec - poor performance in one direction

rkelleyrtp:

      Greetings all,

I am running into an ipSec performance issue and cannot pinpoint the cause.  I have two sites connected via ASA-5505 and pfSense 1.2.3-RELEASE using an ipSec tunnel.  The tunnel is active and we can ping/copy data between sites with no problem.  However, copying data from Site-A to Site-B over the tunnel seems to be capped at 750Kb/sec, while copying data from Site-B to Site-A copies at appropriate speeds (4Mbps up/down).  In addition, if I copy data from Site-A to Site-B without using the ipSec tunnel (sftp via NAT port forwarding on the pfSense firewall), traffic copies at the appropriate speed.

What's strange is that if I copy files from Site-B to Site-A outside the ipsec tunnel (port forward SSH), the data is copied at the appropriate speed.  So, it appears something is throttling the ipsec tunnel from Site-B to Site-A.  A crude picture looks like this:

      SITE-A                            Internet Cloud                         SITE-B
      /--------------------------\      /------------------\      /--------------------------\
      | Sun-Server <--> ASA-5505 |<=====|== ipSEC TUNNEL ==|=====>| pfSense <--> Sun-Server  |
      \--------------------------/      \------------------/      \--------------------------/

      So, in summary:

      • Site-A to Site-B via ipSec tunnel = slow

      • Site-B to Site-A via ipSec tunnel = fast

      • Site-A to Site-B outside ipSec tunnel = fast

      Any ideas?

      jimp (Rebel Alliance Developer, Netgate):

        You can try tweaking the settings for scrub, and setting a lower MTU on the WAN, but what you are seeing is a fairly common complaint when hooking up to Cisco gear.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        rkelleyrtp:

          Thanks Jim.  What scrub settings should I look for?  I have done this exact config in the past and don't remember any speed-related issues like this.  Perhaps my ASA config needs to be tweaked slightly…

          jimp (Rebel Alliance Developer, Netgate):

            Under System > Advanced there is a checkbox to disable/enable scrub.

            rkelleyrtp:

              Thanks, but that did not change anything.

              But, I did find something odd.  If I changed the WAN MTU to 1400 on the ASA, I can no longer copy large files from the ASA to the pfSense network over the VPN tunnel.  In fact, I changed both ends (ASA and pfSense) to 1400 and could not get an scp (secure copy) from the ASA side to the pfSense side.  This seems very strange to me.  I had to change the ASA side back to 1500 to get traffic running again.

              Does this ring a bell?  Is this a known behavior?

              jimp (Rebel Alliance Developer, Netgate):
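The MTU experiment above (1400 vs. 1500 on the ASA and pfSense WAN) is the kind of change that is easier to reason about with the ESP overhead written down. The following calculator is an added example, not code from the thread, from pfSense or from Netgate; it assumes IPv4 tunnel-mode ESP with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV), optional NAT-T UDP encapsulation, and uses parameter names of its own. It reports the encapsulated size of an inner packet, the largest inner packet that still fits a given WAN MTU without fragmenting, and the matching TCP MSS.

```python
"""Tunnel-mode ESP overhead calculator (added example, not from the thread).

Assumed (not stated on the page): IPv4 outer header, ESP with AES-CBC and
HMAC-SHA1-96, optional NAT-T UDP encapsulation. All names are this example's own.
"""
from dataclasses import dataclass

OUTER_IPV4 = 20       # outer IPv4 header added by tunnel mode
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
NAT_T_UDP = 8         # UDP header when NAT traversal encapsulation is in use
TCP_IPV4_HEADERS = 40 # 20-byte IPv4 + 20-byte TCP, used to derive an MSS


@dataclass(frozen=True)
class EspParams:
    """Cipher/integrity sizes; defaults model AES-CBC + HMAC-SHA1-96 (assumed)."""
    iv_len: int = 16
    block: int = 16
    icv_len: int = 12
    nat_t: bool = False


def esp_padding(inner_len: int, p: EspParams = EspParams()) -> int:
    """Bytes of padding so that payload + trailer is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % p.block


def outer_packet_len(inner_len: int, p: EspParams = EspParams()) -> int:
    """Size on the wire of an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    return (OUTER_IPV4
            + (NAT_T_UDP if p.nat_t else 0)
            + ESP_HEADER
            + p.iv_len
            + inner_len
            + esp_padding(inner_len, p)
            + ESP_TRAILER
            + p.icv_len)


def will_fragment(inner_len: int, wan_mtu: int, p: EspParams = EspParams()) -> bool:
    """True if the encapsulated packet exceeds the WAN MTU and must be fragmented."""
    return outer_packet_len(inner_len, p) > wan_mtu


def max_inner_len(wan_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner IP packet whose encapsulated form still fits wan_mtu."""
    best = 0
    for n in range(wan_mtu):  # the inner packet can never be larger than the WAN MTU
        if not will_fragment(n, wan_mtu, p):
            best = n
    return best


def tcp_mss_for(wan_mtu: int, p: EspParams = EspParams()) -> int:
    """TCP MSS that keeps a full-size segment from fragmenting inside the tunnel."""
    return max_inner_len(wan_mtu, p) - TCP_IPV4_HEADERS


if __name__ == "__main__":
    # Constructed scenario: WAN MTUs from the thread, with and without NAT-T.
    for wan_mtu in (1500, 1400):
        for params in (EspParams(), EspParams(nat_t=True)):
            label = "NAT-T" if params.nat_t else "plain"
            print(f"WAN MTU {wan_mtu} ({label}): max inner {max_inner_len(wan_mtu, params)} "
                  f"bytes, TCP MSS {tcp_mss_for(wan_mtu, params)}, "
                  f"1500-byte inner fragments: {will_fragment(1500, wan_mtu, params)}")
```

With a 1500-byte WAN MTU, a full 1500-byte inner packet encapsulates to 1560 bytes and fragments, whereas a 1400-byte inner packet fits; lowering the inner-side MTU therefore reduces fragmentation but cannot by itself raise throughput on a link that is simply narrower than expected, which is what the follow-up in this thread eventually found.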

                Sounds familiar, but sadly I don't recall the specifics offhand. You may need to do a packet capture on the IPsec interface and look at it in Wireshark to get a better idea of what is happening.

                  rkelleyrtp:

                  Thanks Jim.  Let me see what I can find…

                    rkelleyrtp:

                    Just to follow-up on this…

                    Turns out the internet link was 10M/768K instead of 4M/4M.  So, pfSense and the Cisco ASA were working exactly as they should have.

                    Thanks again Jim for all the help/pointers...
